
Cyberphysical Forensics: Lessons from the USS John S. McCain Collision

By Zachary Staples and Maura Sullivan

The 2017 back-to-back collisions of two Navy destroyers led to much speculation about the role of cyberphysical interference in the disasters. As the senior officer representing the U.S. Navy engineering community during the USS McCain cyber assessment, it is clear that we do not yet have the basic tools to definitively answer the question, “were we hacked or did we break it?”

Cyberphysical systems are the backbone of the global infrastructure we rely on for transportation, power, and clean water, and are growing at an exponential rate. The deep integration of physical and software components is not without risks and most industries are technically and organizationally unprepared to conduct forensic examinations. The ability to trust cyberphysical systems is dependent on our ability to definitively identify and remedy cyber interference, which is dependent on our understanding of how data flows impact the physical world.

There are broad lessons from the USS McCain cyber assessment that highlight the type of forensics needed to build and sustain cyberphysical infrastructure around the globe. In order to prevent and respond to future cyberphysical events, whether malicious or accidental, the Navy and organizations dependent on cyberphysical systems must establish post-event procedures for cyber forensic investigations, develop trusted images, and integrate threat intelligence with engineering teams.

Post-event Procedures

Post-incident shipboard forensic examination is a unique activity that is separate and distinct from cybersecurity evaluations or responses to network intrusion or malware. Typically, when cybersecurity operations centers observe malicious communications or indications of compromise within their operating network, they have a clear map of the network and key pieces of information, such as an initiating IP address or malware signatures, from which to begin the forensic mission. They start by identifying and classifying malware on the offending endpoint and can take immediate actions to observe the adversary in their system and identify what is being targeted, while simultaneously acting to clean and quarantine the network.

In stark contrast, post-incident cyberphysical assessment requires an undirected baseline on a variety of media, including hard drives from voyage management systems, machinery control stations, and IT network endpoints. Greatly complicating post-incident response is the fact that many segments of the network will likely be shut off by design or physically destroyed by the casualty itself. The task of cyber forensic teams is essentially the equivalent of trying to determine why a building collapsed without blueprints, physical access to the structure, or any data on what happened immediately prior to the collapse.

The technical understanding and research required to define standard operating procedures for shipboard cyber forensic investigations do not currently exist. While the task of developing a comprehensive approach to shipboard cyber forensics is daunting, the military has experience developing specialty training paradigms, such as submarine navigation and tactical aviation. Hunting a cyber adversary in industrial control systems is a complex task requiring unique operational and tactical expertise. An achievable near-term milestone would be to create procedures for an attack surface assessment for a routine pre-planned mission, which could provide a test-bed for developing more comprehensive procedures, as well as a better understanding of capabilities and gaps.

Trusted Images

All ships operate three main networks: the voyage network that supports the safe navigation of the vessel, the engineering network that controls propulsion along with material handling and auxiliary systems, and the administrative network that supports business operations and crew welfare needs. U.S. Navy vessels also have a combat systems network. The interconnectedness of operational and information technology networks means that traditional information technology tools and perimeter-based security solutions are inadequate for cyberphysical systems. For example, the addition of even simple PKI security can overwhelm the processing power of installed cyberphysical processors and cause a system crash instead of preventing unauthorized access. Additionally, in order for systems like GPS to function, the system must allow access to all properly formatted traffic, rendering perimeter defense insufficient. Security for complex cyberphysical systems requires capturing data flows and developing contextually aware algorithms to understand the dynamics during shipboard operations.

To generate network situational awareness sophisticated enough to do cyber forensics, the team will need to search for electronic anomalies across a wide range of interconnected systems. A key component of anomaly detection is the availability of normal baseline operating data, or trusted images, that can be used for comparison. These critical datasets of trusted images do not currently exist. Trusted images must be generated to include a catalog of datasets of network traffic, disk images, embedded firmware, and in-memory processes.

1. Network Traffic: A common attack vector is to find a computer that has communications access over an unauthenticated network and use it to issue commands to another system connected to that network (e.g., malware in a water purification system issuing rudder commands). Cyberphysical forensics require network traffic analysis tools to accurately identify known hosts on the network and highlight anomalous traffic. If the trusted images repository contained traffic signatures for every authorized talker on the network, it would allow forensic teams to efficiently identify unauthorized hosts issuing malicious commands.

2. Disk Images: Every console on the ship has a disk that contains its operating system and key programs. These disks must be compared against trusted images to determine if the software loaded onto the hard drives contains malicious code that was not deployed with the original systems.

3. Embedded Firmware: Many local control units contain permanent software programmed into read-only memory that acts as the device’s complete software system, performing the full complement of control functions. These devices are typically part of larger mechanical systems and manufactured for specific real-time computing requirements with limited security controls. Firmware hacks give attackers control of systems that persist through updates. Forensic teams will need data about the firmware in the trusted image repository for comparison.

4. In-memory Processes: Finally, advanced malware can load itself into the memory of a computer and erase the artifacts of its existence from a drive. Identifying and isolating malware of this nature will require in-memory tools, training, and trusted images.
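A minimal sketch of the first two comparisons above, added here as an illustration and not taken from the article or from any Navy tool: observed flows are checked against a baseline of authorized talkers, and a recovered disk's file hashes are checked against a trusted manifest. All addresses, file names, and the use of TCP port 502 are constructed assumptions.

```python
import hashlib
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed trusted image, network part: each authorized talker and the
# only conversations (dst, proto, dport) it holds in normal operation.
BASELINE_TALKERS = {
    "10.10.1.10": {("10.10.2.20", "tcp", 502)},  # helm console -> steering controller
    "10.10.3.30": {("10.10.3.31", "tcp", 502)},  # water purifier HMI -> its own PLC
}


def classify_flow(flow, baseline):
    """Label one flow against the authorized-talker baseline."""
    allowed = baseline.get(flow.src)
    if allowed is None:
        return "unknown-host"               # source is not an authorized talker
    if (flow.dst, flow.proto, flow.dport) not in allowed:
        return "unauthorized-conversation"  # known host, unexpected peer or port
    return "baseline"


def audit_flows(flows, baseline):
    """Return {(verdict, flow): count} for every flow that departs from baseline."""
    findings = Counter()
    for flow in flows:
        verdict = classify_flow(flow, baseline)
        if verdict != "baseline":
            findings[(verdict, flow)] += 1
    return dict(findings)


def build_manifest(files):
    """Map each path to the SHA-256 of its contents (the trusted-image record)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_manifest(trusted, observed):
    """Diff a recovered disk's manifest against the trusted one."""
    shared = trusted.keys() & observed.keys()
    return {
        "modified": sorted(p for p in shared if trusted[p] != observed[p]),
        "added": sorted(observed.keys() - trusted.keys()),
        "missing": sorted(trusted.keys() - observed.keys()),
    }


# Constructed capture: two normal flows, the purifier HMI addressing the
# steering controller twice, and one host that is absent from the baseline.
OBSERVED_FLOWS = [
    Flow("10.10.1.10", "10.10.2.20", "tcp", 502),
    Flow("10.10.3.30", "10.10.3.31", "tcp", 502),
    Flow("10.10.3.30", "10.10.2.20", "tcp", 502),
    Flow("10.10.3.30", "10.10.2.20", "tcp", 502),
    Flow("10.10.9.99", "10.10.2.20", "tcp", 502),
]

# Constructed file contents standing in for a trusted and a recovered disk image.
TRUSTED_FILES = {
    "bin/helm_ui": b"helm-ui build A",
    "etc/helm.conf": b"rudder_limit=35\n",
    "lib/io.so": b"io driver build A",
}
RECOVERED_FILES = {
    "bin/helm_ui": b"helm-ui build A",
    "etc/helm.conf": b"rudder_limit=90\n",
    "bin/updater": b"not in the trusted image",
}

if __name__ == "__main__":
    for (verdict, flow), count in audit_flows(OBSERVED_FLOWS, BASELINE_TALKERS).items():
        print(f"{verdict}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} x{count}")
    diff = compare_manifest(build_manifest(TRUSTED_FILES), build_manifest(RECOVERED_FILES))
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
```

The same manifest comparison applies to firmware dumps, provided the trusted repository holds a hash for each released firmware build.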

In addition to the known trusted images, future forensic analysis would benefit from representative datasets for malicious behavior. Similar to acoustic intelligence databases that allow the classification of adversary submarines, a database of malicious cyber patterns would allow categorization of anomalies that do not match the trusted images. This is a substantial task that will require constant updating as configurations change. However, there are near-term milestones, such as the development of shipboard network monitoring tools and the generation of reference datasets that would substantively improve shipboard cybersecurity.

Organizational Integration

As future shipboard assessment teams work to confirm or refute the presence of cyber interference, they will need the assistance of a cyber intel support team to validate assumptions about their findings aboard the vessel. The basic flow established in the USS McCain investigation was to look at the physical systems involved in causing the collision (e.g., propulsion, steering) and then begin looking for cyberattack vectors to those systems.

Ruling out cyber interference requires evidence of absence, which can be uniquely challenging. In order to refute a particular attack vector, coordination with a cyber intel support detachment is essential to understanding the range of possible cyberattack scenarios for a particular physical effect. For example, advanced cyber effects could be delivered over a radiofrequency pathway. Therefore, cyber investigators will need to understand the electromagnetic environment the ship is operating within, as recorded in national systems, and give access to analysts capable of identifying anomalies in the signal pathway.

Shipboard assessment and cyber intel support teams each have specific sets of expertise necessary to understand the full suite of cyberattack vectors and their potential impacts on shipboard systems. Cyberattack tactics are constantly changing and the highest levels of technical expertise and security clearance are required to keep abreast of the potential methods to penetrate networks and attack industrial control systems. Cyber intel teams will never have the engineering expertise to understand the full range of potential physical impacts on shipboard systems. As was demonstrated with Stuxnet and the attack on the Ukrainian power grid, the most successful cyberphysical attacks exploit the organizational gap between engineering and cyber teams.

Organizational constructs for cyberphysical systems will never be straightforward because cyber risk cuts horizontally across engineering systems and traditional intelligence activities. Organizational integration between the cyber and engineering communities must be practiced and continually refined in order to prevent and respond to cyberphysical interference. A near-term milestone would be to execute joint training exercises between the cyber intel and engineering communities in order to promote cross-disciplinary understanding and begin to build out the template for future organizational integration.

Conclusion

Network connectivity in industrial control systems has revolutionized the way humans interact with physical systems and ushered in a new era of capabilities from energy generation to manufacturing to warfighting. These advancements are not without risks, and to avoid cyberphysical catastrophe, the development of tools to ensure resilience, security, and safety must keep pace. Shipboard forensics provide a prime example of the current gaps in our ability to understand, monitor, and protect cyberphysical systems. The lessons learned from the forensic examination of the USS McCain can provide the foundation for the procedures, data, and organizational constructs required to create modern tools to monitor and protect cyberphysical systems.

Zac Staples had a 22-year career in the United States Navy as a surface warfare officer specializing in electronic warfare. His final tour was as the Director of the Center for Cyber Warfare at the Naval Postgraduate School, where he led inter-disciplinary research and development teams exploring cyber capability development. Zac holds a B.S. in engineering from the U.S. Naval Academy, a Masters in National Security Affairs from the Naval Postgraduate School, and is a distinguished graduate of the Naval War College.

Maura Sullivan specializes in systemic risks and data-driven emerging technologies. Maura was the Chief of Strategy and Innovation at the U.S. Department of the Navy, where she developed and implemented the strategic roadmap for emerging cyberphysical technologies. Previously, Maura led a start-up within the global catastrophe risk company, RMS, developing software and consulting solutions for managing systemic risks for financial and insurance markets. She was a White House Fellow, has a Ph.D. in epidemiology from Emory University and a B.S. and M.S. in earth systems from Stanford University.

Zachary Staples (USN, Retired) and Maura Sullivan, PhD are the co-founders of Fathom5, a maritime cybersecurity company.

Featured Image: Operations Specialist 3rd Class Daniel Godwin, from Milton, Fla., stands watch in the Combat Information Center aboard the aircraft carrier USS Enterprise (CVN 65). (U.S. Navy photo)

Port Automation and Cyber Risk in the Shipping Industry


By Philipp Martin Dingeldey 

Introduction

To stay ahead of competing ports and technological developments, automation has been heralded as inevitable. Major transshipment hubs and aspiring ports bet their future on automation, which raises the impact cyber risks could have in the long run.

Singapore’s Port Modernization

One example of port modernization is Singapore’s Tuas Port Project. To stay ahead of competing ports in Southeast Asia, PSA International and the city state have bet their future on the fully automated port on the western side of the island. The project is set to almost double the port’s current throughput capacity of twenty-foot equivalent units (TEUs) and consolidate all its container operations by 2040.

Singapore’s port is ranked second, behind Shanghai’s mega port, by total TEUs handled. Nevertheless, Singapore’s port is the world’s busiest transshipment hub, and therefore immensely important to global supply chains. The port’s volume growth of 6.4 percent for the first half of 2017 indicates that its investments in modernized berths and joint ventures with liners paid off.

While this is great news for the short term, container vessels on Asia-Europe trade routes will inevitably increase in size, requiring higher handling efficiency to achieve fast turn-around times. By the end of 2018, ultra large container vessels (ULCVs) are expected to gain a share of 61 percent of total capacity, pushing established hubs like Singapore to automate their terminals to stay relevant.

At the same time, next generation container vessels will not only be bigger, but also increasingly automated and even autonomous. As ports and the shipping industry are integral parts of global and regional supply chains, their automation and technological modernization raise the impact and potential of cyber risk.

How Good is Automation?

For Singapore’s port, automation is seen not only to strengthen its position as a transshipment hub well into the future, but also to help it keep up with technological developments and industry trends.

The shipping industry has generally been slow in adopting new technologies, due to its conservative nature and the large number of players involved. Currently, only a fraction of global container volume is handled by fully automated container terminals. In 2016, it was estimated that only 4-5 percent of container volume would be handled by fully automated terminals once ongoing projects were completed. Nonetheless, industry pressure and competition have heightened the need for ports to invest and automate, indicating that the number of automated terminals will increase.

Automated terminals allow ports to handle containers more efficiently by using operating systems to plan storage in accordance with collection and transshipment times. This reduces unnecessary box moves, shortens cycle times, and enables consistent and predictable throughput numbers.

Fully automated terminals have the advantage of low operating costs and reliable operations, but they require higher upfront costs and longer development, offer only low productivity increases at peak times, and face the general difficulty of fully automating a working terminal. On the other hand, semi-automated terminals offer the possibility of greater productivity increases at peak times and are generally understood to have the best overall productivity with lower upfront costs, but they require higher operating costs and are inconsistent when it comes to handling ULCVs.

While full automation gives large ports like Singapore’s the advantage of reliable, full-time operations at low operating costs, it requires long development times to fix bugs and offers only gradual productivity increases at peak times. On top of that, full automation also increases their vulnerability to cyber risks. This is due to the use of technologically advanced and networked systems.

The investment threshold to enter automation for ports is high, while not necessarily offering major increases in productivity. What automation does offer major port hubs is better predictability and consistency of container moves per hour. Additionally, automation reduces the room for human error, making operations safer. At the same time, automation reduces the environmental impact since terminals are mostly electrified, giving ports an additional competitive edge in an industry increasingly focused on sustainability.

Cyber Risks

The shipping industry and ports are seen by many insiders as underprepared for cyber threats. Even though major players in the shipping industry have recognized and acted on the risks posed by cyber threats, the majority have been slow to recognize potential business risks. Even though awareness has grown, the need for better information sharing persists. Automation further increases the exposure and impact of cyber threats for ports, highlighting the importance of data and system integrity.

The reality of cyber threats to automated terminals was demonstrated in the “NotPetya” cyber-attack in June 2017. The attack forced Maersk to interrupt operations at multiple terminals worldwide, causing logistical havoc for weeks after the attack. Overall, it cost Maersk roughly US$300 million, even though the attack was not specifically directed at the company. The “lucky hit” against one of the industry leaders showcases that even well-prepared firms can suffer financial losses due to cyber threats.

The difficulty with protecting automated terminals from cyber risks lies with their complexity. These terminals use industrial control systems that translate sensorial data and commands into mechanical actions. The network links between mechanical equipment and sensors are exposed to the same threats as data networks. The complexity is further increased by the months and years it can take to figure out and fix bugs and weaknesses in automated systems. In an automated system, different system components have to effectively work together as one, stretching the time needed to figure out and fix bugs. This involves mainly software issues that have to be fixed while also moving boxes of cargo at the terminal.

While ports have to secure themselves from a broad range of risks, cybercriminals can choose from a number of entry points. For example, external vendors, terminal operating systems, and unaware employees may be vulnerable to phishing attacks. Operational systems and data networks are not always up-to-date or properly secured, allowing criminals to gain comparatively easy access to information. To protect ports and the shipping industry from most attacks, regular operating system updates, stronger passwords, secure satellite connections, resilience exercises, information sharing, and employee awareness campaigns should be practiced.

On top of that, modern ships bear the risk of spreading viruses onto port systems simply via Wi-Fi or other data networks. Industrial control systems are not designed with cyber risks or active network monitoring in mind. This is especially true for ships’ control systems, but can also affect the system components of ports.

Nevertheless, this is only addressing the technical side. The human factor still plays a major role in mitigating cyber risks. Personal details of ship crews can still be easily accessed, making them more vulnerable to social engineering via phishing or other techniques, unknowingly granting access to systems.

Human factors can take the form of criminals, terrorists, competitors, disgruntled employees, and more. Workers at mostly manual terminals, for example, generally do not like automation because it makes their jobs largely redundant. To reduce the chance for cyber threats stemming from or aided by disgruntled employees, ports can offer training and job guarantees to their workforce to make the transition to automation more incremental.

Port authorities, registries, and all major organizations in the shipping industry are increasingly aware of cyber threats and are responding through raising awareness or offering training courses. These are simple steps to better protect information and navigation systems on board ships. For example, BIMCO, the world’s largest international shipping association, made cyber security an important issue for the shipping industry three years ago via an awareness initiative. The association has further advocated the need for guidelines to evolve with the threats, launching the “Guidelines for Cyber Security Onboard Ships” in July 2017, which was endorsed and supported across the industry.

In addition, the Liberian ship registry started a computer-based two-hour cybersecurity training program in October 2017, offering a comprehensive overview of cybersecurity issues aboard ships. Nevertheless, it is unlikely that these courses and campaigns are enough to protect the industry. While it is a step in the right direction, more needs to be done through regulations.

Conclusion and Policy Recommendations

Since 2016, the International Maritime Organization (IMO) has put forward voluntary guidelines regarding cyber risks. Only after 2021 does the IMO plan to enforce a set of binding regulations on cybersecurity. This might be too late for many companies in the industry. Shipping companies should not wait until 2021, but should begin now to implement simple measures, like using firewalls and stronger passwords, to deter criminals from trying to exploit current weaknesses.

Further, even though the IMO adopted guidelines on maritime cyber risk management into the International Safety Management Code this year, ports and the shipping industry still need to establish a stronger culture on cybersecurity.

Major shipping hubs are part of large and less resilient supply chains, which are essential for regional and international trade. These supply chains depend on a small number of key ports, which are vulnerable to shocks from other ports. To make supply chains and port hubs more resilient to cyber risks, the shipping industry as a whole will have to adjust and prepare.

Companies will have to work together and share information on previous or ongoing attacks, so that experiences and best practices can be shared directly. Unfortunately, this has been difficult to achieve due to worries about how competitors may use the shared information. Singapore has set up the Port Authorities Focal Point Correspondence Network to further the exchange of information on past and current incidents. It remains to be seen if this network has worked to encourage the sharing of information.

Ports are logistical hubs where many companies compete for business, making information sharing naturally difficult. Currently, port security is based on the International Ship and Port Facility Security (ISPS) Code, which is heavily focused on the physical aspects of security. In order to make cyber risks a much more important issue for port security, the whole sector needs to step up and make it a priority.

Cyber risks are not just a technological matter, but require adequate awareness and planning to strengthen a port’s resilience. Training employees actively in security protocols and procedures with information systems is one way of achieving this. At the same time, ports need to engage in contingency and scenario planning to be better prepared should an attack occur. On top of all this, national bodies (e.g. institutes of standards) need to give better guidance on security testing and planning for ports, which should be supplemented by binding guidelines on reporting and information sharing mandated by global bodies like the IMO.

Philipp Martin Dingeldey is a Research Analyst with the Maritime Security Programme at the Institute of Defence and Strategic Studies (IDSS), S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. For questions and follow-ups he can be reached at research.pmdingeldey@gmail.com.

Featured Image: Port of Singapore (XPacifica/Gettyimages)

NAFAC: The 4th Battle for the Atlantic and Technology’s Impact on Warfighting

By Sally DeBoer

For the past fifty-six years, the United States Naval Academy has hosted the Naval Academy Foreign Affairs Conference (NAFAC). NAFAC, planned and executed by the midshipmen themselves, brings together outstanding undergraduate delegates as well as notable speakers, scholars, and subject matter experts from around the nation and the world to discuss a current and relevant international relations issue. The theme for this year’s conference, A New Era of Great Power Competition?, seeks to explore the shifting dynamics of the international system, challenges to a U.S.-led world order, the nature of potential future conflicts, the challenge of proto-peer competitors and rising  as well as what steps the U.S. might take to remain the primary arbiter of the international system at large. As this topic is of great interest to CIMSEC’s readership, we are proud to partner with NAFAC in this, their 57th year, to bring you a series of real-time posts from the day’s events in Annapolis, MD. CIMSEC would like to recognize MIDN 1/C Charlotte Asdal, NAFAC Director, and her staff for allowing us to participate in this year’s events and for inviting our readership to virtually share in the week’s rich academic environment.

Robert H. McKinney Address – Vice Admiral James Foggo, III, Director, Navy Staff and Former Commander 6th Fleet

“The greatest leaders must be educated broadly.” – Gen. George Olmstead

Vice Admiral James Foggo III addressed midshipmen and delegates Thursday morning, the last day of the NAFAC conference. The address, bolstered by personal anecdotes, videos, and photographs from the Navy Staff Director and former 6th Fleet Commander, largely addressed the question of great power competition from the perspective of the United States’ relationship with the Russian Federation. The admiral’s address familiarized the audience with recent history and current operations within the Mediterranean, Arctic, Baltic and beyond, informing the day’s discussion on the evolution of great power competition in the coming decades.

What Makes a Great Power?

To begin, VADM Foggo was careful to define the terms used in answering the question: Are we in a new era of great power competition? The admiral expressed confidence that the United States remains the greatest nation in the world, providing exposition on what makes the United States a great power. Great powers, he explained, go beyond the sum of their people, economic, or military strength to offer ideas, opportunity, and leadership, using their power to effect change for the world’s weakest and most vulnerable populations. Russia, he went on to conclude, is not by this definition a great power – their “sum” qualifies the Federation as a major power, but their actions, primarily enacted in self-interest, disqualify them from great power status. Understanding this distinction is crucial.

The 4th Battle for the Atlantic

VADM Foggo provided helpful context for the historical relationship between the Soviet Union/Russian Federation and the United States. The First Battle for the Atlantic, he explained, occurred during the course of World War One, while in the Second, the United States and her allies defeated the Axis powers’ relentless undersea tactics with “grit, resolution, the submarine detection system, and the lend-lease program to Britain.” The third battle, he explained, occurred during the course of the Cold War. An unclassified report based on the 3rd Battle Innovation Project commissioned by the United States Submarine Force on the contribution of U.S. undersea assets to U.S. victory in the Cold War concluded with the following sentiment: “someday, we may face a 4th Battle of the Atlantic.” VADM Foggo asserted that we are, indeed, in the midst of this battle now. The admiral and his co-author Alarik Fritz of the Center for Naval Analyses collected their thoughts in an article published by the United States Naval Institute, “The 4th Battle for the Atlantic.”

Rising Tensions 

VADM Foggo characterized the aforementioned 4th Battle for the Atlantic through a series of examples and anecdotes. Beginning with Russia’s invasion of Georgia in 2008, the United States exercised its responsibility as a great power to seek to deescalate tensions and compromise where possible by pursuing the Reset policy with the Russian Federation. This policy, he explained, did not work as intended. In 2014, the U.S. was once again surprised by Russia’s aggressive and illegal actions in Ukraine. This unjustified action, he went on, is an example of why Russia is not a great power, but rather only a major power. This action partially inspired the “back to basics” policy for U.S. defense thinkers and policymakers called for by ADM Greenert.

Admiral Foggo recommended several books to the audience, including ONI’s Russian Navy report, which he emphasized was a “must read” for tomorrow’s defense and foreign policy leaders.

Continued Vigilance

VADM Foggo explored a few key areas where Russia is challenging U.S. and allied interests, providing tangible examples. In the Arctic, he explained, Russians currently operate seven former Cold War bases at company- and battalion-strength units with an endurance of a year or more. Russia has militarized the Arctic, which concerns the U.S. and our allies, particularly the Norwegians, regarding restricted access to international waters. To drive this point home, the admiral displayed a photograph of the Russian flag planted at the geographical North Pole, moved there by a Russian submersible.

U.S. Navy ship encounters aggressive Russian aircraft in Baltic Sea, April 12, 2016. (U.S. European Command)

Given the venue of the conference, VADM Foggo appropriately addressed his professional experience with aggressive actions by the Russian Federation at sea. Beginning with the Su-24 flyby of the USS Donald Cook (DDG-75) in the Black Sea, during which, he emphasized, the wingtip of the Russian aircraft was no more than 30 feet from the deck of the destroyer, the Russian Naval forces escalated tensions in response to U.S. presence in Russia’s adjacent international waters and beyond. The admiral explained the import of strategic communication to gain the moral high ground, which the U.S. achieved by declassifying and releasing an image of the Su-24 narrowly off the bridge wing of the Donald Cook, along with diplomatic protest and meaningful presence in the form of BALTOPS 2016.

“49 Ships Became 52”

BALTOPS is a NATO exercise to improve and display the interoperability of allied forces. The 2016 exercise communicated a clear strategic message; the exercise boasted three amphibious landing operations (versus the previous year’s two), extensive anti-submarine warfare (ASW) operations with three allied submarines and maritime patrol and reconnaissance (MPRA) aircraft, and more. In an effective anecdote that illustrated the Russian response to the exercise, the admiral shared that when reviewing photos from the PHOTOEX conducted during BALTOPS, 52 ships appeared in the photograph – 49 allied vessels, two Russian destroyers, and a Russian AGI. “49 ships,” he recalled, “became 52.” Tellingly, the Russian response to the success of the strategic messaging of the exercise included “a Stalin-like purge of Russian commanders in the Baltic Fleet,” due to their unwillingness to challenge western ships. Further reinforcing the point, VADM Foggo shared more examples of his interactions with Russian counterparts in multilateral and bilateral discussions.

Looking Forward – “The Surest Guarantee of Peace”

The tone of VADM Foggo’s remarks was one of stark realism, but also optimism. The admiral expressed confidence in the forces that were under his command, but reiterated to the audience of future diplomatic and military leaders the crucial nature of continued vigilance and continued action in support of the United States’ responsibilities as a great power. He included a timely example – the recent strikes on a Syrian airbase in response to the use of chemical weapons by the Assad regime. “Great powers react, but they react proportionally,” the VADM concluded, expressing belief in the possibility that such actions can bring compromise – a concept, he said, a great power should pursue and prioritize.

Technology and Cyber-Competition Panel

Note: The following information is paraphrased from the panelists’ remarks – their thoughts, remarks, and research are their own and are reproduced here for the information of our audience only.

Panelists Brigadier General Greg Touhill, USAF (ret.), the first Federal Chief Information Security Officer, Mr. August Cole, Senior Fellow at the Atlantic Council and co-author of Ghost Fleet, and Dr. Nicol Turner-Lee, Fellow at the Center for Technology and Innovation at the Brookings Institution, were given the opportunity to provide open-ended remarks before the question and answer portion of the panel.

A Strategic Framework for Cybersecurity

Cybersecurity is a provocative issue, and General Touhill used his opening remarks to dispel some common rumors about the cyber realm. This is not a technology issue, he went on, but a risk management issue; it is an intrinsic facet of [the United States’] national economy and security to be sensitive to the protection of our technology, information, and competitive advantage. Cybersecurity, he explained, is not all about the tech, but rather about the information. When considering cyber strategy, the General contended that a direct, simple strategy is best and most likely to be effectively executed. To this end, he outlined five lines of effort:

  • Harden the workforce: risk exposure is tremendous, as our culture, norms, and economy rely on automated information systems – this includes home, federal, and corporate entities
  • You can’t defend what you don’t know you have. Information is an asset, and should be treated as such.
  • Within five years, every business will be conducting asset inventory and valuation of its information as any other asset – some entities within the Federal Government, he explained, may not appreciate the value of their information and may not even realize they have it.
  • Do the right things, the right way, at the right time: Cyber hygiene is great, but has to be applied smartly – 85 percent of breaches, he explained, are due to improper patching of common vulnerabilities. The basics come first – stakeholders should update apps, OS, and apply other simple fixes. Care and due diligence are required.
  • Investment. The General introduced “Touhill’s Law,” which contends that one human year accounts for twenty-five “computer” years – by this math, some machines in the federal government architecture are several thousand years old. Depreciation and recapitalization are key; from a strategic standpoint, neglecting this reality is a failure.
  • It’s all about the risk. In a contemporary sense, much of the risk is deferred to server management teams and IT, and decisions on that risk are not being made at the right levels.

The general indicated a desperate need for a cogent strategic cyber framework on which to operate and that these five lines of effort are a good foundation for such a framework.

Fiction’s Role in Challenging Assumptions

August Cole, a noted analyst and fiction author, began by recounting the impact that Tom Clancy’s 1986 thriller Red Storm Rising had on his life. As a fiction author, he went on to explain, his job is to think the unthinkable, devoting intellectual energy and professional attention to considering tomorrow’s conflict from a multitude of perspectives. Fiction, Cole explained, allows us to consider an adversary’s perspective and confront our own biases to present a bigger truth.

Cole and his co-author Peter Singer’s novel Ghost Fleet addresses the rise of China – the book starts a conversation in an engaging way that captured the authors’ imagination. The writing process caused the authors to confront some uncomfortable truths. The American way of war, he said, is predicated on technical superiority that isn’t necessarily in line with our evolving reality. The reliance on tech creates a vulnerability, and through the lens of great power competition, we should be thinking about the difference between our assumptions about conflict and how conflict will actually be. One must challenge their assumptions, and resist the urge to fall in love with their own investments.

Information as a Commodity and Vulnerability

As a policy analyst and social scientist, Dr. Turner-Lee looks to understand behaviors that are overlaid with technology – she has focused on what we need to do to create equitable access to technology. Tech, she explained, is changing the nature of human behavior and increasing vulnerabilities. We must consider, she said, how we are contributing to the evolution of the tech ecosystem from the realm of consumption to an entity that affects the fabric of national security. What we understand as being “simple” actually isn’t, and what started as a privacy discussion has evolved into a security issue. When considering social media, Dr. Turner-Lee went on, it is interesting to see how 140 characters can become the catalyst for campaigns that threaten national security.

Dr. Turner-Lee mentioned the concept of pushback from technology companies against government requests for information and policies that need to be engaged to address this. There is a role, she explained, for the military to identify vulnerabilities, while companies are appointing chief privacy officers and innovation officers; lastly, the research community needs people to understand how information has become a commodity. As researchers, she explained, she and her colleagues are trying to find vulnerabilities and understand the impact on our national economy by looking at the nature of human behavior and prescribing the right policies to ensure threats are minimized.

Given the current security landscape for cyber, what do you see as the greatest cyber threats facing the U.S.?

Brig. Gen. Touhill explained that at the Department of Homeland Security, they binned threats into 6 groups:

  • Vandals – frequent and common
  • Burglars – financially motivated and prevalent
  • Muggers – this includes hacks like SONY as well as cyber-bullies
  • Spies – can be either insiders or a traditional political-military threat looking to gain a competitive edge by stealing intellectual property.
  • Saboteurs – pernicious, difficult to find, and could be, for example, an individual who is fired but retains access to a system.
  • Negligent Users – This group constitutes the greatest threat. This group includes the careless, negligent, and indifferent in our own ranks.

China has been evidently and aggressively pursuing AI, hypersonic, quantum computing, and other next-generation technology – what does this mean for our assumption about the American way of war over the next several decades?

August Cole explained that the U.S. must directly confront the assumption that we will always have the edge of technical superiority – this may very well remain true, he said, but we cannot count on it. From a PRC military point of view, they look to not only acquire capabilities but further their knowledge on how best to employ them. We must, he went on, work to connect information and technology that we would not instinctively put in the same basket by considering, for instance, the battlefield implications of a hack on a healthcare provider who serviced military personnel. Technology, he explained, will alter the relationship between power and people, and understanding this connection is complex and difficult. Fiction allows us to synthesize these realms in a way that may be difficult otherwise – and appreciate the operational implications.

How has social media impacted our ability to monitor and address national security threats?

Dr. Turner-Lee began by exploring the implication of emerging social media tools that do not curate data (think Snapchat), explaining that as encryption technology has become more sophisticated, it has further complicated the national security problem. Dr. Turner-Lee referred to “permission-less innovation,” meaning that the tech community continues to innovate in ways that cannot be controlled and this innovation is sometimes disruptive. Social media, she went on, is not always designed with privacy in mind, and enacting privacy policies has been reactionary for many companies.

Turner-Lee addressed the general hesitation of users to hand over or allow the collection of their information – personal data, she said, is seen as just that – personal – and companies promote this quality in their tech. For instance, she alluded to the current lawsuit between Twitter and the federal government over the identities of disruptive Twitter accounts. The disconnect between privacy and security, she concluded, can sometimes constitute a weakness.

The moderator pointed out that while tech has developed, policy has lagged. Mr. Cole added that the “internet of things” provides a corollary to this. Further development of wearable or day-to-day tech that generates and collects data automatically has national security implications. He provided an example in the domain of land warfare, suggesting that operators could notionally create a digital map based on device feedback. The data and processing power to make these analytics will exist, he affirmed, but we haven’t considered it.

Dr. Turner-Lee further elaborated that machine-to-machine interactions, which are based on algorithms that predict what you will or will not do, sustain a threat to national security when those algorithms are incorrect or tampered with. For instance, autonomous vehicles could be hacked and directed in a way that makes them a vehicular bomb. Overcoming machine-to-machine bias is very difficult and constitutes a security risk proportional to our dependence on machine-to-machine tech. This is a space, she said, with many vulnerabilities, driving itself in ways we are unaware of.

Conclusion

The final day of NAFAC 2017 proved a fitting end to three days of intense discussion and consideration on the topic of a new era of great power competition. VADM Foggo’s address brought a much needed operational perspective to the delegates and attendees, relaying the seriousness and immediate applicability of the question at hand, particularly for those midshipmen who will be serving aboard operational vessels in just a few short months. Further, the Technology and Cyber-Competition panel provided much needed context for the changing nature of tomorrow’s conflicts, challenging many long-held assumptions about the way of war.

Our representatives were impressed with the diligence, research, and creative thought participants brought to the round table panels. Readers can look for select publications from the Round Tables next week, when CIMSEC will share outstanding research essays from delegates. CIMSEC is extremely grateful to the United States Naval Academy, MIDN Charlotte Asdal and her NAFAC staff, and senior advisors and moderators for allowing us to participate in this year’s conference and share the great value of this discussion with our readership.

Until next year!

Sally DeBoer is the President of CIMSEC for 2016-2017. She can be reached at president@cimsec.org.

Featured Image: A CH-53E Super Stallion helicopter flies ahead of the amphibious assault ship USS Peleliu (LHA-5) after conducting helocast operations at Pyramid Rock Beach, Marine Corps Base Hawaii. The helocast was part of a final amphibious assault during Rim of the Pacific (RIMPAC) Exercise 2014. (U.S. Marine Corps photo by Cpl. Matthew Callahan/Released)

The Fight to Know

By Jack Whitacre

The relationship between the sea and information is ancient. In 480 BC, the Greeks learned of a secret naval invasion planned by the Persians. According to Simon Singh in The Code Book, the message was delivered steganographically on a covered tablet, giving sufficient time to prepare for a defense that ultimately led to victory.1 Through information theory, the quantitative theory of coding and transmission of signals and information, we discover that information is a physical property of our reality and a resource to be guarded. In the words of Charles Seife, “Information is every bit as palpable as the weight of bullet, every bit as tangible as the heft of an artillery shell—and every bit as vulnerable as a freighter full of ammunition.”2

Today’s maritime security hinges on information. As Admiral (ret.) James Stavridis argues, nowhere is the gap between threat (high) and defensive capability (low) as large as on the cyber front. Derived from ‘cybernetics,’ “cyber” loosely refers to information loops and everything that is connected to a computer network. The shipping industry (which feeds, fuels, and clothes our country) is growing increasingly connected to the internet and therefore more vulnerable to cyber attacks. New cyber technologies are also being used in the maritime field to solve climate and natural resource puzzles — both keys to long term human survival. Through cyber education and training, citizens and leaders can gain an edge in the digital world and invest themselves in solving some of the most pressing maritime security problems.

Oceanic Applications

Our relationship to the ocean has been transformed by cyber. As John C. Perry outlines in “Beyond the Terracentric,” the ocean can be seen as an avenue, arena, and source.3 Before the standard shipping container system was invented, ships were unloaded with back-breaking efforts of manual laborers. Today, cranes take care of the work, moving containers from the ship to the shore (and vice versa). Sometimes loading and unloading is done with humans operating joysticks, while in other places computer programs sift through the manifests and unload using algorithms. Automatic ports may be targeted by external actors looking to manipulate freight shipments for their benefit.

In 2016, The Economist and The Journal of Commerce chronicled the sagas of the Port of Long Beach, California and the Port of Rotterdam, Netherlands and their transitions towards automation. When viewing an operation with computerized manifests, automatic cranes, and even driver-less trucks moving containers, it is imperative to remember that what is connected can be compromised at every level. Such an interconnected world increases the opportunities for external targeting while raising the stakes for maritime security for the United States. Estimates show that ninety percent of the world’s goods are imported by sea.4 As a single example, each year more than $180 billion of goods (or 6.8 million containers) pass through the Port of Long Beach.5 A brief interruption in shipping made by a foreign government, company, or private individuals would likely ripple through a nation with economic effects reverberating up and down the supply chain.

On the bright side, new computer technologies may allow us to more easily monitor changes in ocean health conditions. With improved information, states and actors can ensure better protection for the ocean and fish that are crucial to industry and food supplies, especially in disputed areas. States can track each other and keep accountability through satellites and technologies like AIS (automatic identification system). New cyber capabilities like The Internet of Things (IoT) may allow us to revolutionize ocean data analysis and create new levels of environmental responsibility. Social entrepreneurship ventures like Blue Water Metrics now aim to crowdsource data collection via the world’s oceangoing shipping fleets and upload all the ocean data to a cloud database. Educating state leaders offers the best chance of maximizing the positive externalities of technological change, both in protecting natural resources and shipping assets.

Preparing Cyber Leaders

Increasing information literacy will improve competitiveness in nearly every field. Studying information theory, encryption, and coding with the same vigor as foreign languages may transform an individual’s field and personal career trajectory. In the book Dark Territory, Fred Kaplan describes how Cyber Command personnel grew from 900 to 4,000 between 2009 and 2012, and is expected to climb to 14,000 by the end of 2020.6 Established academic institutions could recognize certificate programs from organizations like Codecademy via transcript notations, which may improve educational and employment prospects.

(March 25, 2011) – Aerographer’s Mate 3rd Class Nick Pennell, a watch stander at the Naval Oceanography and Anti-Submarine Warfare Center, looks over a Japan Self-Defense Force Mobile Operations sheet at Commander Fleet Activities Yokosuka (CFAY). (U.S. Navy photo by Mass Communication Specialist 3rd Class Mikey Mulcare/Released)

Cyber education can be seen both as a patriotic duty and as an economic opportunity. As far back as 1991 the National Research Council observed that “the modern thief can steal more with a computer than with a gun.”7 By educating tomorrow’s cyber leaders, institutions and community organizations can empower people to defend themselves intelligently against thieves and reinvent themselves by beginning careers in the digital world.

The Polaris of Programming

Not all innovation needs to be forward looking. In the evolutionary dance between encryption and decryption, centuries passed before certain “unbreakable” codes were broken. The Fletcher School at Tufts University combines international studies and the analysis of world events with cyber studies in its course Foundations of International Cyber Security. Scholar practitioners, such as Michele Malvesti, offer unique perspectives on the past and the pipeline of the future, including the importance of supply stream, deterrence, and attribution. Graduate-level cyber curricula can unlock strategic chess moves for governmental, citizen-led, and private organizations alike. Incorporating history in computer science education, like Harvard’s course Great Ideas in Computer Science, can provide fertile intellectual context where principles can be appraised and applied in modern contexts. Scientists throughout history, like Abu Yusuf Yaqub, Blaise de Vigenere, and Charles Babbage make great role models along with programmers like Ada Lovelace and RDML (ret.) Grace Hopper.

Conclusion

When programming is seen as an essential language, computer history as a strategic advantage, and information as an environmental and security opportunity, our digital tribe will be better able to overcome uncertainty and adversaries.

An entrepreneur and former boat captain, Jack Whitacre studied international security and maritime affairs at The Fletcher School of Law and Diplomacy. Contact him at James.C.Whitacre@gmail.com.

References

1. Simon Singh, “The Code Book: How to Make it, Break it, Hack it, Crack it,” 2001, p.8

2. Charles Seife, “Decoding the Universe,” p. 8

3. John C. Perry, “Beyond the Terracentric: Maritime Ruminations,” 2013, p.143

4. Rose George, “Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate,” 2013.

5. Port of Long Beach. “Facts at a Glance.” The Port of Long Beach: The Green Port. The Port of Long Beach. February 8th, 2017. http://www.polb.com/about/facts.asp

6. Fred Kaplan, “Dark Territory: The Secret History of Cyber War,” 2006, p. 4

7. Ibid.

Featured Image: The Port of Los Angeles in Feb. 2013. (Tim Rue — Bloomberg/Getty Images)